Configuring your content key via Keyseed

We often receive questions about how to configure a content key via a key seed for PlayReady license services. Azure Media Services doesn’t store the key seed in the system, however. Here is why, and how you can still configure keys from a key seed even though we don’t store it.

How is a key seed used?

Key seeds have been a very popular solution for years. When you statically encrypt your content for PlayReady, you can feed your encryptor a key ID and a key seed. The encryptor computes the content key from the key ID and the key seed, and encrypts the content with this derived content key value. The key ID is carried in the manifest. The key seed is stored with the license server.

When a player requests a license, the license server looks up the key seed paired with the key ID embedded in the manifest, computes the content key value on the fly, and returns a license that contains the correct content key. There can be multiple key seeds for a library of content and content key IDs. The benefit of this approach is that you don’t have to store content key IDs and content keys in the database. By storing only the key seed, you can compute the entire library’s content keys. However, that’s also the scary part: if the key seed gets leaked somehow, your entire library can be decrypted. That’s also the reason why we choose not to store the key seed in the system.

How can you use a key seed in Azure Media Services?

Azure Media Services uses a content key ID and a content key to encrypt streams dynamically. You could use the following method to generate the content key based on the key seed and the content key ID. However, our system doesn’t store your key seed.

Therefore, if you have 100 pieces of content and you want to encrypt each with a unique content key, you will need to store 100 pairs of content key and key ID with Azure Media Services.
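The derivation described above, as an added example that is not the code from the original post: it follows the key seed algorithm Microsoft publishes for PlayReady (first 30 bytes of the seed, three SHA-256 digests over seed and key ID, digest halves XORed into a 16-byte key). The function names, the sample seed and the sample key IDs are constructed for illustration.

```python
import hashlib
import uuid

SEED_LEN = 30  # only the first 30 bytes of the key seed are used
KEY_LEN = 16   # AES-128 content key


def derive_content_key(key_seed: bytes, key_id: uuid.UUID) -> bytes:
    """Derive the content key for one key ID from the key seed."""
    if len(key_seed) < SEED_LEN:
        raise ValueError("key seed must be at least 30 bytes")
    seed = key_seed[:SEED_LEN]
    kid = key_id.bytes_le  # GUID byte order, as .NET Guid.ToByteArray() returns it

    sha_a = hashlib.sha256(seed + kid).digest()
    sha_b = hashlib.sha256(seed + kid + seed).digest()
    sha_c = hashlib.sha256(seed + kid + seed + kid).digest()

    # XOR the two 16-byte halves of all three digests together.
    return bytes(
        sha_a[i] ^ sha_a[i + KEY_LEN]
        ^ sha_b[i] ^ sha_b[i + KEY_LEN]
        ^ sha_c[i] ^ sha_c[i + KEY_LEN]
        for i in range(KEY_LEN)
    )


def derive_library(key_seed: bytes, key_ids) -> dict:
    """Return the key ID -> content key pairs to store; the seed is not in them."""
    return {kid: derive_content_key(key_seed, kid) for kid in key_ids}


# Constructed sample input: a fixed demo seed and three made-up key IDs.
SAMPLE_SEED = bytes(range(1, 33))
SAMPLE_KIDS = [uuid.UUID(int=n) for n in (1, 2, 3)]

if __name__ == "__main__":
    for kid, key in derive_library(SAMPLE_SEED, SAMPLE_KIDS).items():
        print(kid, key.hex())
```

Only the derived pairs are handed to the service; the seed stays in your own key management, so every asset needs its own stored pair.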
